Not all identities and breaches are equal or lend themselves to same level of protection.
“The Russian influence campaign had real and substantial effects—and the data of private individuals was critical to conducting the con. Russian operatives purchased stolen U.S. identities, which they used to open U.S. bank and PayPal accounts and to buy access on U.S.-based servers; they then purchased Facebook ads and “buttons, flags, and banners” for political rallies.”
I did not hear of that “critical” part. What must-have access to what U.S.-based servers requiring U.S. bank and PayPal accounts? Ads do not need to be purchased by US residents or citizens but any ad agency, fake news outlet or entity.
The posing as real Americans argument is weak, it was not a skilled stealing of identity but an easy to pull off and hard to stop impersonation. Targeting real people with fake news was the real citizen related problem but that was a Facebook ad revenue feature.
Rather than bundling all breaches under one data breach/privacy umbrella issue, it is more properly addressed as a tool in the context issue: cyber crime, cyber espionage, information warfare, political interference, etc.
Theft of private individuals’ information tends to be viewed as serious only when people suffer direct harm. But such theft can have much larger consequences.